Third_Degree (posted July 23, 2008):
> are you talking about html third_degree? no it doesn't strip_tags($variable,'allowed html tags here')

I'm talking about all characters in general; user I/O scripts, in my opinion, should be as lossless as possible.
aseaofflames (posted July 23, 2008):
Off-topic suggestion: you might not want to put your (or your client's) email in plain text on the contact page. It makes it an easy target for spam.
dannyb785 (author, posted July 23, 2008):
^ That was actually done by them. Each page is custom-editable by them so they can choose to put whatever they want. I can only suggest they not do it, but I can't change it.
LemonInflux (posted July 23, 2008):
Full path disclosure:

Fatal error: Call to undefined function html_entities() in /home2/xausfco/public_html/calendar.php on line 9

Also, not really a hack, but can you try to correct the JavaScript so it's unobtrusive? The slideshows don't work without JS. Try using an image in noscript tags.
dannyb785 (author, posted July 23, 2008):
> Full path disclosure:
>
> Fatal error: Call to undefined function html_entities() in /home2/xausfco/public_html/calendar.php on line 9
>
> Also, not really a hack, but can you try to correct the JavaScript so it's unobtrusive? The slideshows don't work without JS. Try using an image in noscript tags.

Thank you for catching those 2! I got them both fixed. Very helpful.
darkfreaks (posted July 23, 2008):
Danny, are you using strip_tags on calendar.php? Because my scanner is still picking up cross-site scripting on it. To be more specific, you can inject JavaScript into the year variable.
darkfreaks (posted July 23, 2008):
Also, just a suggestion, but the poll goes away after voting. Is there a way you could display the results?
dannyb785 (author, posted July 24, 2008):
> Danny, are you using strip_tags on calendar.php? Because my scanner is still picking up cross-site scripting on it. To be more specific, you can inject JavaScript into the year variable.

> Also, just a suggestion, but the poll goes away after voting. Is there a way you could display the results?

I did htmlentities because I thought that by doing it, it erased any chance of using JS/HTML. Do I need to use both? And I know what you mean about displaying results... that's been me being lazy. I'll get to it by tomorrow night.
Third_Degree (posted July 24, 2008):
Don't use both, just use print htmlentities( $var, ENT_QUOTES );
dannyb785 (author, posted July 24, 2008):
> Also, just a suggestion, but the poll goes away after voting. Is there a way you could display the results?

Haha, and I just caught why you want me to do it... you wanna see the damage you've caused.
darkfreaks (posted July 24, 2008):
What? No, seriously, the poll disappears after you vote.
darkfreaks (posted July 24, 2008):
Also, htmlentities does not strip out JavaScript, it just prints it as text instead of executing it; I would personally use strip_tags().
Third_Degree (posted July 24, 2008):
> Also, htmlentities does not strip out JavaScript, it just prints it as text instead of executing it; I would personally use strip_tags().

What if someone needs to search for HTML/JavaScript? It might not be likely on the OP's site, but on others, such as this forum, it is an absolute necessity.
darkfreaks (posted July 24, 2008):
If he needs to allow HTML/JavaScript tags he can do strip_tags($var,'html/javascript tags allowed here'); which solves the problem.
Third_Degree (posted July 24, 2008):
> If he needs to allow HTML/JavaScript tags he can do strip_tags($var,'html/javascript tags allowed here'); which solves the problem.

You clearly don't get what I am saying. Sites a lot of times need to use/display EXACTLY what a user inputs. Also, you said that you wanted to stop JavaScript execution; it's not stopped if you allow "'html/javascript tags allowed here'". But whatever, the conversation is a little irrelevant, I guess it all comes down to a matter of preference.
darkfreaks (posted July 24, 2008):
> > If he needs to allow HTML/JavaScript tags he can do strip_tags($var,'html/javascript tags allowed here'); which solves the problem.
>
> You clearly don't get what I am saying. Sites a lot of times need to use/display EXACTLY what a user inputs. Also, you said that you wanted to stop JavaScript execution; it's not stopped if you allow "'html/javascript tags allowed here'". But whatever, the conversation is a little irrelevant, I guess it all comes down to a matter of preference.

Okay, what you said does not make sense. Why would you want to inject JavaScript into a calendar? It's dangerous! End of story! I would not allow any sort of JavaScript even in the allowed tags part. That is securing a script from cross-site scripting.
Third_Degree (posted July 24, 2008):
1. OK, I said earlier that it's not that big of a deal on this site, but it is for others.
2. In my first post in this thread I said stop the cross-site scripting... so yeah...
3. You said 'allowed javascript'...
4. htmlentities with the ENT_QUOTES parameter stops cross-site scripting with no loss of user input when displayed as text. Period.

But like I said, I don't want to argue with you, just want to give the OP another option.
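As an added example (not code from the thread, from the OP's site, or from any of the posters), here are the three options argued over above applied to the year parameter of a page like calendar.php: output encoding with htmlentities() and ENT_QUOTES, strip_tags() with an allow-list, and plain input validation. The function names, the allow-list of `<b><i>`, and the sample inputs are assumptions constructed for the example; the caveat it shows about strip_tags() is the one in the PHP manual, namely that attributes on allowed tags are not removed.

```php
<?php
// Added example (not from the thread): three ways of handling a user-supplied
// $_GET['year'] for a calendar page, shown side by side.
declare(strict_types=1);

// 1. Output encoding, as Third_Degree recommends. The reader still sees the
//    text exactly as typed, but the browser receives entities, not tags.
function encodeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// 2. Tag stripping with an allow-list, as darkfreaks recommends. Caveat from the
//    PHP manual: attributes on allowed tags are kept, so an event-handler
//    attribute on an allowed tag survives the call.
function stripToAllowed(string $value): string
{
    return strip_tags($value, '<b><i>');   // assumed allow-list
}

// 3. Input validation: a year is a number, so anything else is rejected before
//    it reaches either the query or the page. Returns null for bad input.
function parseYear(string $value): ?int
{
    if (!ctype_digit($value) || strlen($value) !== 4) {
        return null;
    }
    return (int) $value;
}

// Constructed probe values, modelled on the text the thread reports seeing.
$samples = [
    '2008',
    '<script>blahblah</script>',
    '<b onmouseover="blahblah">2008</b>',
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "encoded:   " . encodeForHtml($s) . "\n";
    echo "stripped:  " . stripToAllowed($s) . "\n";
    echo "as year:   " . var_export(parseYear($s), true) . "\n\n";
}
```

Run it from the command line with `php` and compare the three columns: encoding keeps every character but makes them inert, stripping loses the `<script>` element yet leaves the attribute on the allowed `<b>` tag, and validation simply refuses anything that is not a four-digit number. For a parameter like a year, validation plus encoding on output is the combination that needs no allow-list at all.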
dannyb785 (author, posted July 24, 2008):
> What? No, seriously, the poll disappears after you vote.

Lol, I know. But I figured if you were the one doing a few thousand votes, that you'd wanna see the results reflect that.
dannyb785 (author, posted July 24, 2008):
> 1. OK, I said earlier that it's not that big of a deal on this site, but it is for others.
> 2. In my first post in this thread I said stop the cross-site scripting... so yeah...
> 3. You said 'allowed javascript'...
> 4. htmlentities with the ENT_QUOTES parameter stops cross-site scripting with no loss of user input when displayed as text. Period.
>
> But like I said, I don't want to argue with you, just want to give the OP another option.

I went ahead and did the ENT_QUOTES parameter for my htmlentities function. Thank you for it, I wasn't aware of it.
darkfreaks (posted July 24, 2008):
LOL, no, I wasn't aware of that. I just voted once and then the whole thing disappeared :-\
dannyb785 (author, posted July 24, 2008):
^ Oh lol, gotcha. I guess you weren't the one who was doing the mass votes. I have the results appearing now, I just need to make it look nice, possibly with bars, or at least aligning them evenly.
darkfreaks (posted July 24, 2008):
Erm, I only voted once ???
dannyb785 (author, posted July 24, 2008):
^ Haha, well someone out there has voted a few thousand times. And can someone tell me how they're masking their IP? In my IP-tracking column, sometimes there's "<script>blahblah</script>" among other interesting stuff, but it's a field that the user had no control of (at least I thought).
Third_Degree (posted July 24, 2008):
!! You MUST use mysql_real_escape_string() if you are logging IPs. VERY dangerous. The remote address part of an HTTP socket connection is just as "spoofable" as the user agent or any part of the HTTP request.
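An added example, not code from the thread or the OP's site: logging the visitor address for a poll vote through a prepared statement (PDO here, used in place of the mysql_real_escape_string() call Third_Degree mentions, since the mysql_ extension is no longer part of PHP), validating the address before it is stored, and keeping the raw forwarding header for later inspection. The table layout, column names, trusted-proxy list and sample request values are all constructed for the example, and it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not from the thread): store the visitor address with a prepared
// statement, so whatever arrives in the request can never alter the SQL.
declare(strict_types=1);

// REMOTE_ADDR is the peer address the web server saw on the socket. The
// X-Forwarded-For header is ordinary request data and is fully client-controlled,
// so it is only consulted when the peer is a proxy we operate (assumed list).
function clientAddress(array $server, array $trustedProxies = []): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, $trustedProxies, true)) {
        // The header can be a comma-separated chain; the first hop is the client.
        return trim(explode(',', $xff)[0]);
    }
    return $peer;
}

// Validate before storing: anything that is not an IPv4/IPv6 literal becomes
// 'invalid', so the ip column stays queryable and never carries markup.
function normaliseAddress(string $candidate): string
{
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? 'invalid' : $candidate;
}

// Constructed schema for the demo; table and column names are assumptions.
function openLog(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE poll_votes (
        id INTEGER PRIMARY KEY,
        option_id INTEGER NOT NULL,
        ip TEXT NOT NULL,
        raw_forwarded TEXT,
        voted_at TEXT DEFAULT CURRENT_TIMESTAMP
    )');
    return $db;
}

// Bound parameters keep data and SQL apart; no manual escaping is involved.
// The raw header is kept verbatim for investigation and must be run through
// htmlentities() whenever it is displayed, as the thread recommends.
function logVote(PDO $db, int $optionId, array $server, array $trustedProxies = []): void
{
    $stmt = $db->prepare(
        'INSERT INTO poll_votes (option_id, ip, raw_forwarded) VALUES (:opt, :ip, :raw)'
    );
    $stmt->execute([
        ':opt' => $optionId,
        ':ip'  => normaliseAddress(clientAddress($server, $trustedProxies)),
        ':raw' => $server['HTTP_X_FORWARDED_FOR'] ?? null,
    ]);
}

// Constructed request: the header carries the kind of text the thread reports,
// plus a stray quote to show the bound parameter does not care about it.
$request = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "<script>blahblah</script>'",
];

$db = openLog();
logVote($db, 2, $request);                    // peer not a trusted proxy: socket address kept
logVote($db, 2, $request, ['203.0.113.10']);  // peer trusted: header value fails validation

foreach ($db->query('SELECT ip, raw_forwarded FROM poll_votes') as $row) {
    // Encode for display, as the thread recommends for any stored user text.
    echo htmlentities($row['ip'], ENT_QUOTES, 'UTF-8'), ' | ',
         htmlentities((string) $row['raw_forwarded'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Two design points follow from the thread. First, the address column only ever holds a validated IP literal or the marker `invalid`, so a forged header cannot plant markup where the OP saw `<script>` text; the forged value is still retained in its own column for forensics. Second, because the values are bound rather than concatenated, the quote in the constructed header is stored as data, which is the property Third_Degree is after with mysql_real_escape_string(), obtained without having to remember to escape each field.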
darkfreaks (posted July 24, 2008):
Because JavaScript is not being stripped, it is probably my scanner testing for exploits. I was not aware it directly tested the code :-\